Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

Martineau

Part of the Furniture
I've made some research whitelisting monster.com in Skynet and disabling it at all. No result. Seems unbound fails to resolve the host for some reason.
So if you stop unbound, can you successfully dig monster.com?

e.g.
Code:
dig monster.com

; <<>> DiG 9.17.13 <<>> monster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26821
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;monster.com.            IN    A

;; ANSWER SECTION:
monster.com.        300    IN    A    208.71.193.147

;; Query time: 80 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Dec 06 15:07:21 UTC 2021
;; MSG SIZE  rcvd: 56
then if you restart unbound
Code:
um

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.23bC by Martineau                     |
|                                                                      |
+======================================================================+
Warning unbound not running!! - Config last loaded info: # Version=v1.13 Martineau update (Date Loaded by unbound_manager Sun Nov 21 10:44:42 GMT 2021)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')    
z  = Remove unbound/unbound_manager                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                    

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)

e  = Exit Script [?]

A:Option ==> rs

15:07:47 Checking 'unbound.conf' etc. for valid Syntax.....
15:07:47 Requesting unbound (S61unbound) restart.....
Starting unbound...              done.
15:07:49 Checking status, please wait.....
15:07:58 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2021-12-06 15:07:08) msg.cache=2682/2678 rrset.cache=7724/7722
15:07:58 unbound OK


unbound (pid 19782) is running... uptime: 0 Days, 00:00:12 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Mon Dec 6 15:07:48 GMT 2021)

can you issue the 'dig' request within unbound_manager?
Code:
e  = Exit Script [?]

A:Option ==> dig monster.com


; <<>> DiG 9.17.13 <<>> txt monster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57957
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;monster.com.            IN    TXT

;; ANSWER SECTION:
monster.com.        1200    IN    TXT    "ciscocidomainverification=460719eb94004fbc3ffceb58ee7a94d0e45e14d1d224b3f193f0d122a6bdfbae"
monster.com.        14400    IN    TXT    "atlassian-domain-verification=bKSyyEicgY0Nu7x4asJ5ja9ueF/q8H55gAcyMZfz2XKzDvu5sZaC96LCfSoibq82"
monster.com.        1200    IN    TXT    "onetrust-domain-verification=0ec2972887414a679d57a96ccc29b5b0"
monster.com.        1200    IN    TXT    "v=spf1 include:spf.monster.com include:partner_spf.monster.com -all"
monster.com.        3600    IN    TXT    "MS=ms50474575"
monster.com.        1200    IN    TXT    "google-site-verification=zXNA4jzGldUrb4WTfbWVyylyVgZRuVjpzS94ul_sr4g"
monster.com.        1200    IN    TXT    "google-site-verification=rRq11A1dCsb5_qBT_3Fs9Sag5f8Wm5t58e05wQAESa0"
monster.com.        1200    IN    TXT    "adobe-idp-site-verification=7452b219-e19d-43c7-b5fb-a381f17b01e6"
monster.com.        1200    IN    TXT    "GOytBs9lVe7A6ONbpEz1H+ouv1k8wnclMo3W48PX7mnZBaxXqJpJxTR5cdRPkUnunTbWui64V/PCEOOZDZsEXg=="
monster.com.        1200    IN    TXT    "facebook-domain-verification=nxqqu1usearteri105exfg33t1yyos"
monster.com.        1200    IN    TXT    "webexdomainverification.=d6c0c09e-1efb-4b83-ac2c-c8b15118cc48"
monster.com.        1200    IN    TXT    "google-site-verification=ecvdyQLuC440qHVOKlQG9McMXmlqn5oJzuskNAFssDk"

;; Query time: 220 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Dec 06 15:08:16 UTC 2021
;; MSG SIZE  rcvd: 997


; <<>> DiG 9.17.13 <<>> monster.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62030
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;monster.com.            IN    A

;; ANSWER SECTION:
monster.com.        1200    IN    A    208.71.193.147

;; Query time: 80 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Mon Dec 06 15:08:16 UTC 2021
;; MSG SIZE  rcvd: 56
 

Martineau

Part of the Furniture
How do I make the Graphical Display option sticky? After I enable it, later when the router reboots, that option goes back to disabled, requiring me to go back into amtm to reenable it. But for the time that it is off, I do not have statistics, even if I do an Update Stats.

Update: I tried 3.23bC to see if it fixed this problem but it did not. Is there something I need to add to a config file to have this option enabled after a reboot?
Without diagnostics it is difficult to speculate on the root cause.

e.g use the following
Code:
df

ls -lah /tmp/var/wwwext | grep -TE "user[1-9]+.*";grep -TH . /tmp/var/wwwext/*.title;grep -THE "user[1-9]+." /tmp/menuTree.js
before and after uninstalling/reinstall the statistics GUI
Code:
um

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.23bC by Martineau                     |
|                                                                      |
+======================================================================+
unbound (pid 19782) is running... uptime: 0 Days, 01:57:45 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Mon Dec 6 15:07:48 GMT 2021)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable FULL Logging [log_level])
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user3.asp)

e  = Exit Script [?]

A:Option ==> sgui uninstall


##
# ____ ___     ___.                            .___   _________ __          __        
#|    |   \____\_ |__   ____  __ __  ____    __| _/  /   _____//  |______ _/  |_  ______
#|    |   /    \| __ \ /  _ \|  |  \/    \  / __ |   \_____  \   __\__  \   __\/  ___/
#|    |  /   |  \ \_\ (  <_> )  |  /   |  \/ /_/ |   /        \|  |  / __ \|  |  \___ \
#|______/|___|  /___  /\____/|____/|___|  /\____ |  /_______  /|__| (____  /__| /____  >
#             \/    \/                  \/      \/          \/           \/          \/
## by @juched - Generate Stats for GUI tab - v1.4.1                                       
## with credit to @JackYaz for his shared scripts                                     

user3.asp

    unbound GUI graphical stats TAB uninstalled.


unbound (pid 19782) is running... uptime: 0 Days, 01:57:57 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Mon Dec 6 15:07:48 GMT 2021)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')        l  = Show unbound log entries (lo=Enable FULL Logging [log_level])
z  = Remove unbound/unbound_manager                                    v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                               oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)      s  = Show unbound Extended statistics (s=Summary Totals; sa=All; sgui=Install GUI TAB [all]; s-=Disable Extended Stats)

e  = Exit Script [?]

A:Option ==> sgui

unbound-control set_option 'extended-statistics yes' ok
Option Auto Reply 'y'  
    Installing GUI TAB to Graphically display unbound stats.....
    unbound_stats.sh downloaded successfully
    unboundstats_www.asp downloaded successfully
    unbound_log.sh downloaded successfully

##
# ____ ___     ___.                            .___   _________ __          __        
#|    |   \____\_ |__   ____  __ __  ____    __| _/  /   _____//  |______ _/  |_  ______
#|    |   /    \| __ \ /  _ \|  |  \/    \  / __ |   \_____  \   __\__  \   __\/  ___/
#|    |  /   |  \ \_\ (  <_> )  |  /   |  \/ /_/ |   /        \|  |  / __ \|  |  \___ \
#|______/|___|  /___  /\____/|____/|___|  /\____ |  /_______  /|__| (____  /__| /____  >
#             \/    \/                  \/      \/          \/           \/          \/
## by @juched - Generate Stats for GUI tab - v1.4.1                                       
## with credit to @JackYaz for his shared scripts                                     

Mounting Unbound_Stats.sh WebUI page as user3.asp
Saving MD5 of installed file /jffs/addons/unbound/unboundstats_www.asp to /jffs/addons/unbound/www-installed.md5

##
# ____ ___     ___.                            .___ .____                
#|    |   \____\_ |__   ____  __ __  ____    __| _/ |    |    ____   ____
#|    |   /    \| __ \ /  _ \|  |  \/    \  / __ |  |    |   /  _ \ / ___\
#|    |  /   |  \ \_\ (  <_> )  |  /   |  \/ /_/ |  |    |__(  <_> ) /_/  >
#|______/|___|  /___  /\____/|____/|___|  /\____ |  |_______ \____/\___  /
#             \/    \/                  \/      \/          \/    /_____/
## by @juched - Process logs into SQLite3 for stats generation - v1.5                    

unbound_log.sh
Logfile used is /opt/var/lib/unbound/unbound.log
Date used is 2021-12-06 (7 days ago is 2021-11-29)
Date used is 2021-12-06 (30 days ago is 2021-11-06)
Creating nx_domain table if needed...
Deleting old nx_domain records older than 7 days...
Creating reply_domain table if needed...
Deleting old reply_domain records older than 7 days...
Creating rpz_events table if needed...
Deleting old rpz_events records older than 30 days...
(unbound_log.sh): 7412 Processed 0 reply_domains...

Removing reply lines from log file...
Running SQLite to import new reply records...
(unbound_log.sh): 7412 Processed 0 nx_domains...

Removing always_nxdomain lines from log file...
Removing static/transparent lines from log file (for performance)...
Running SQLite to import new nx records...
(unbound_log.sh): 7412 Processed 0 RPZ events...

Removing RPZ event lines from log file...
ok
Running SQLite to import new rpz event records...
All done!
Calculated Cache Hit Percentage: 96.25
Adding new value to DB...
Calculating Daily data...
Calculating Weekly and Monthly data...
Outputting histogram performance data...
Outputting answers data...
Outputting top blocked domains...
Outputting top replies ...
Outputting daily replies ...
Calculating DNS Firewall data...
Outputting DNS Firewall Hits ...
 

TonyK132

Senior Member
Here are screen captures while UI is enabled, and after it is disabled.

Edit: I just rebooted the router, and captured screen shots of menuTree.js right after the boot, verified it was disabled, enabled it, then took another screen shot. I also did the df command after I enabled the UI. Let me know what other info you need.
 

Attachments

  • Unbound UI Disabled.PNG
  • Unbound UI Enabled.PNG
  • df Command.PNG
  • Unbound Immediately after Boot UI Enabled.PNG
  • Unbound Immediately after Boot UI Disabled.PNG

L&LD

Part of the Furniture
No, the only thing worthy of note from that old post is that the defaults (from a clean install) still working great today.

Of course, that link will allow you to tinker further, if you wish.
 

gjf

Senior Member
As for my monster.com issue - I have no idea what happened but today it starts working - right when I tried to check it with dig command.
No idea why - I definitely checked it before and it fails!
Pardon for that. I will let everybody know if it happens again.
 

Treadler

Very Senior Member
A question:

I assumed that Unbound uses DNSSEC.

The Unbound web site advises “If you then dig com. SOA +dnssec you should see the AD flag there.”

I'm not seeing the AD flag, does this mean DNSSEC is broken for me?

If I uninstall Unbound & go to say, Cloudflare, with DNSSEC enabled in the router GUI, I get the AD flag just fine.

Confused…….:oops:

Edit: Maybe @Martineau might see fit to comment?
 

chongnt

Very Senior Member
A question:

I assumed that Unbound uses DNSSEC.

The Unbound web site advises “If you then dig com. SOA +dnssec you should see the AD flag there.”

I'm not seeing the AD flag, does this mean DNSSEC is broken for me?

If I uninstall Unbound & go to say, Cloudflare, with DNSSEC enabled in the router GUI, I get the AD flag just fine.

Confused…….:oops:
How about test with these sites:

Edit: I think I get what you mean. I try to use dig command and do not see AD flag as well even though the above link test passed.

It seems DNSSEC is working with unbound:
dig www.dnssec-failed.org using my ISP DNS can resolve the ip.
dig @127.0.0.1 www.dnssec-failed.org give me SERVFAIL.
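
The two checks used in the posts above (the AD flag on a signed zone, and SERVFAIL for www.dnssec-failed.org) can be combined into one verdict. This is an added example, not part of unbound_manager or of any post in this thread; the function names, verdict strings and sample dig headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge DNSSEC validation from saved dig output.
# All sample outputs here are constructed, not captured from the thread.

SIGNED_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SIGNED_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BAD_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
BAD_RESOLVES=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Print the header flags of a dig reply, e.g. "qr rd ra ad".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Print the response status (NOERROR, SERVFAIL, ...) from the HEADER line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed when the AD (Authenticated Data) bit is set in the reply.
has_ad_flag() {
    case " $(dig_flags "$1") " in
        *" ad "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = dig output for a signed zone, e.g. "dig com. SOA +dnssec"
# $2 = dig output for www.dnssec-failed.org through the same resolver
dnssec_verdict() {
    bad_status=$(dig_status "$2")
    if has_ad_flag "$1"; then
        if [ "$bad_status" = "SERVFAIL" ]; then
            echo "validating"
        else
            echo "inconsistent"       # AD set, yet the broken zone resolves
        fi
    elif [ "$bad_status" = "SERVFAIL" ]; then
        echo "validating-no-ad"       # bogus data rejected, AD bit not shown
    else
        echo "not-validating"         # broken zone resolves, no AD bit
    fi
}

# Live use on the router would be:
#   dnssec_verdict "$(dig com. SOA +dnssec)" "$(dig www.dnssec-failed.org)"
echo "AD missing, broken zone fails:    $(dnssec_verdict "$SIGNED_NO_AD" "$BAD_SERVFAIL")"
echo "AD missing, broken zone resolves: $(dnssec_verdict "$SIGNED_NO_AD" "$BAD_RESOLVES")"
```
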
 

kfahoo

Occasional Visitor
is it normal that unbound doesn't return AAAA records?
I've set up he ipv6 tunnel for ipv6 connectivity
 

Martineau

Part of the Furniture
is it normal that unbound doesn't return AAAA records?
I've set up he ipv6 tunnel for ipv6 connectivity
unbound_manager will only set IPv6 directives in the config

e.g. use command
Code:
e  = Exit Script [?]

A:Option ==> vx
to scroll down and see the relevant section....
Code:
#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: yes
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-serv>
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
if IPv6 is not 'disabled' on the router
Code:
nvram get ipv6_service
 

kfahoo

Occasional Visitor
unbound_manager will only set IPv6 directives in the config
if IPv6 is not 'disabled' on the router
Code:
nvram get ipv6_service
like I said, tunnel is set up,
e.g. use command
Code:
e  = Exit Script [?]

A:Option ==> vx
to scroll down and see the relevant section....
Code:
#########################################
# integration IPV6
#
do-ip6: no
(...)
I was aware of that, I've switched do-ip6 to yes, unbound is responding on ::1 but it is not returning AAAA records

Code:
; <<>> DiG 9.17.20 <<>> @::1 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; Query time: 60 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sun Dec 12 14:10:15 CET 2021
;; MSG SIZE  rcvd: 39

; <<>> DiG 9.17.20 <<>> @2001:4860:4860::8844 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28938
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; ANSWER SECTION:
google.com.             300     IN      AAAA    2a00:1450:401b:800::200e

;; Query time: 110 msec
;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844) (UDP)
;; WHEN: Sun Dec 12 14:10:00 CET 2021
;; MSG SIZE  rcvd: 67
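
The IPv6 section quoted above ships with `private-address: ::/0` active, and its comment says that directive drops all IPv6 responses, so a config where only `do-ip6` is switched to `yes` still carries it. The added check below (not part of unbound_manager or of any post here) flags that combination; the function names, verdict strings and the two edited sample configs are constructed, and a missing `do-ip6` is treated as unbound's default of `yes`.

```shell
#!/bin/sh
# Added example: detect an unbound.conf that enables IPv6 but still
# strips every AAAA answer. Sample configs are constructed for the demo.

AS_SHIPPED='do-ip6: no
private-address: ::/0          # explicitly drop ALL IPv6 responses
# do-ip6: yes
# private-address: fd00::/8
# private-address: fe80::/10'

ONLY_DO_IP6_CHANGED='do-ip6: yes
private-address: ::/0          # explicitly drop ALL IPv6 responses
# private-address: fd00::/8
# private-address: fe80::/10'

IPV6_BLOCK_SWAPPED='# do-ip6: no
# private-address: ::/0
do-ip6: yes
private-address: fd00::/8
private-address: fe80::/10'

# Print every active (uncommented) value of a directive, one per line.
# $1 = config text, $2 = directive name
active_values() {
    printf '%s\n' "$1" |
        sed -e 's/#.*//' -e 's/[[:space:]]*$//' |
        sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print "ipv6-disabled", "aaaa-stripped" or "ok" for the given config text.
ipv6_aaaa_check() {
    # The last do-ip6 line read is taken as the effective one (assumption).
    do_ip6=$(active_values "$1" do-ip6 | tail -n 1)
    [ -n "$do_ip6" ] || do_ip6=yes      # unbound default when absent

    # private-address entries accumulate; one covering all of IPv6 is enough.
    if active_values "$1" private-address | grep -Eqx '::0?/0'; then
        strip_all=yes
    else
        strip_all=no
    fi

    case "$do_ip6:$strip_all" in
        no:*)    echo "ipv6-disabled" ;;
        yes:yes) echo "aaaa-stripped" ;;   # IPv6 on, every AAAA answer removed
        *)       echo "ok" ;;
    esac
}

# Live use: ipv6_aaaa_check "$(cat /opt/var/lib/unbound/unbound.conf)"
echo "as shipped:          $(ipv6_aaaa_check "$AS_SHIPPED")"
echo "only do-ip6 changed: $(ipv6_aaaa_check "$ONLY_DO_IP6_CHANGED")"
echo "IPv6 block swapped:  $(ipv6_aaaa_check "$IPV6_BLOCK_SWAPPED")"
```
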
 

Martineau

Part of the Furniture
unbound_manager will only set IPv6 directives in the config

like I said, tunnel is set up,

I was aware of that, I've switched do-ip6 to yes, unbound is responding on ::1 but it is not returning AAAA records

Code:
; <<>> DiG 9.17.20 <<>> @::1 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; Query time: 60 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sun Dec 12 14:10:15 CET 2021
;; MSG SIZE  rcvd: 39

; <<>> DiG 9.17.20 <<>> @2001:4860:4860::8844 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28938
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; ANSWER SECTION:
google.com.             300     IN      AAAA    2a00:1450:401b:800::200e

;; Query time: 110 msec
;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844) (UDP)
;; WHEN: Sun Dec 12 14:10:00 CET 2021
;; MSG SIZE  rcvd: 67
What does the following show?
Code:
unbound-control lookup google.com
 

Ubimo

Very Senior Member
Please help me understand this:
In unbound.config there is a setting called "cache-max-ttl: 21600"
Is this correct, when I say that the cache gets deleted after 6 hours? Or get cached DNS queries deleted after 6 hours?
Why does unbound store the cache for only 6 hours? When I turn on my computer on the next day, there is no cache anymore, right? So I get cache misses? Where is the profit of unbound then?
Is there a special reason?
Is there a downside when I set this to e.g. 3 days?
I'm a beginner to understand this.
 

kfahoo

Occasional Visitor
What does the following show?
Code:
unbound-control lookup google.com
Code:
The following name servers are used for lookup of google.com.
;rrset 9330 4 0 2 0
google.com.     9330    IN      NS      ns2.google.com.
google.com.     9330    IN      NS      ns1.google.com.
google.com.     9330    IN      NS      ns3.google.com.
google.com.     9330    IN      NS      ns4.google.com.
;rrset 9330 1 0 1 0
ns4.google.com. 9330    IN      A       216.239.38.10
;rrset 9330 1 0 1 0
ns3.google.com. 9330    IN      A       216.239.36.10
;rrset 9330 1 0 1 0
ns1.google.com. 9330    IN      A       216.239.32.10
;rrset 9330 1 0 1 0
ns2.google.com. 9330    IN      A       216.239.34.10
Delegation with 4 names, of which 4 can be examined to query further addresses.
It provides 4 IP addresses.
216.239.34.10           not in infra cache.
216.239.32.10           not in infra cache.
216.239.36.10           not in infra cache.
216.239.38.10           not in infra cache.
 

Kingp1n

Very Senior Member
@Martineau I apologize in advance if this question has been asked before.

Do you have a timeframe when the unbound beta version script will become part of the stable script? Is the switch-over based on feedback from those trying out the beta?

Thanks again!
 

kfahoo

Occasional Visitor
I've started to mess up with configuration and it started to work, I'm not sure what was the solution
 

Martineau

Part of the Furniture
I've started to mess up with configuration and it started to work, I'm not sure what was the solution
OK, but does the output shown in
remain the same?
 

TonyK132

Senior Member
Here are screen captures while UI is enabled, and after it is disabled.

Edit: I just rebooted the router, and captured screen shots of menuTree.js right after the boot, verified it was disabled, enabled it, then took another screen shot. I also did the df command after I enabled the UI. Let me know what other info you need.
See pics above.
 

Martineau

Part of the Furniture
See pics above.
Thanks, however, my diagnostics command doesn't fully handle more than 9 user files :rolleyes:, so could you please retry
Code:
ls -lah /tmp/var/wwwext | grep -TE "user[1-9]+.*";grep -TH . /tmp/var/wwwext/*.title;grep -THE "user[1-9]+." /tmp/menuTree.js
when the GUI is ENABLED, plus please post the unbound_manager Advanced mode menu

e.g.
1639490465441.png
 

TonyK132

Senior Member
Thanks, however, my diagnostics command doesn't fully handle more than 9 user files :rolleyes:, so could you please retry
Code:
ls -lah /tmp/var/wwwext | grep -TE "user[1-9]+.*";grep -TH . /tmp/var/wwwext/*.title;grep -THE "user[1-9]+." /tmp/menuTree.js
when the GUI is ENABLED, plus please post the unbound_manager Advanced mode menu

e.g. View attachment 37775
See attached menutree.js output, and my current Unbound menu. Sorry but I cannot see how to get the Advanced menu.
 

Attachments

  • Unbound Menu.PNG
  • Menutree_js.PNG